Modbus for Field Technicians


Revision 1.0

Any reproduction or re-transmission in whole or in part of this work is expressly prohibited without the prior consent of Chipkin Automation Systems Inc.

Copyright Notice: Copyright 2010 Peter Chipkin, who has given permission to Chipkin Automation Systems to publish this work.

Mailing Address: 3495 Cambie St, # 211, Vancouver, BC, Canada, V5Z 4R3

Thanks to Liz Lucica for all your work in putting this booklet together.

Modbus is a registered trademark of Modicon.


TABLE OF CONTENTS

MODBUS - Introduction
There are 4 types of data
There are (were) a Max of 9999 points of each data type
5 Digit vs 6 Digit Addressing
What about Scaling in Modbus
Floating Point Numbers in Modbus
Byte/Word Order: An ambiguous nightmare
Bit Order: Sometimes it's a problem too
Modbus and Gateways
What about errors / exceptions
There can only be one master on a Modbus Serial Trunk
Multiple Clients of a Modbus slave
Old device: slow processors, limited capability
Modbus Ascii, JBUS, Enron and other Variants
Modbus RS232, RS485 and TCP/IP
How Modbus is Transported
Modbus on RS232
Modbus on RS485
Modbus Resources, Testing and Trouble Shooting
What to take to site with you
Trouble Shooting Modbus TCP/IP
Required tools
How to Capture with Wireshark
Capture Filters
Display Filtering
Searching
Using the CAS Modbus Scanner

Because it is so commonly used, because it is so limited, because some vendors went to a lot of trouble and because some vendors hired bad programmers, Modbus, as simple as it seems, can offer lots of complications.

Modbus was invented to transfer data as well as to program/configure PLCs. For the purposes of this article, we are only interested in the data transfer functions.

1. THERE ARE 4 TYPES OF DATA

Holding Registers: An area of 16 bit words. Intended as read / write. Originally used as programmer scratch pad area and for analog outputs in old Modicon PLCs. Also known as 4xxxx registers (xxxx is the placeholder for the specific holding register's point number).

Input Registers: Think Analog inputs. 16 bit words. Also known as 3xxxx registers (xxxx is the placeholder for the specific input register's point number).

Inputs: Think Binary inputs. Also known as Inputs. Also known as 1xxxx inputs (xxxx is the placeholder for the specific input's point number).

Coils: Think Binary outputs. Named coils after the coil in a relay which is activated to energize a circuit. The original PLCs were relay replacement machines. Also known as Outputs. Also known as 0xxxx outputs (xxxx is the placeholder for the specific coil's point number).

2. THERE ARE (WERE) A MAX OF 9999 POINTS OF EACH DATA TYPE

When Modbus was invented they thought 9,999 items of each memory type were enough. Most vendors ignore this limit today: they make clients that can read more and they make devices which can serve more if required. Older clients cannot poll for more than 9,999 items.

Even though 9,999 was an arbitrary choice, there is a practical limit imposed by the protocol. The Modbus message uses a 16 bit word to identify the point number to be read/written. The largest number that can fit in 16 bits is and hence the highest point number that can be read is point

Most vendors, these days, allow their software to read any points in this range , We call this five digit addressing.

So now we come to a naming problem.

3. 5 DIGIT VS 6 DIGIT ADDRESSING

If is the 1st, the 2nd. We get to 49,999 and then what? 50,000? No! We introduce an extra zero. Instead of we talk about , becomes Thus , , , We call this six digit addressing.

There are 4 types of data - They are ambiguously identified.

When Modbus was defined, the inventors gave names and identifiers to each data point in each of the 4 memory areas. Each point was given a public and a hidden identifier. When these two get confused so do we.

Holding registers are most commonly identified as Etc

The 4 indicated Holding Register. The remainder of the number is the Holding Register number

means the 1st Holding Register
means the 2nd Holding Register.

The same discussion applies to the other data types. Publicly we number them from 1. Privately (inside the messages) we number them by their offset from the 1st one (i.e. we number the 1st one as zero).

Another Factor

Some vendors do not use the 0xxxx, 1xxxx, 3xxxx, 4xxxx notations when itemizing data points. In the example below the vendor doc doesn't tell you if it's a holding register or input register, and they are numbered from 1. You would have to check the assumption that point number 1 is
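The public-number versus in-message-offset rule above, as an added example that is not part of the original booklet. It assumes the leading digits 0, 1, 3 and 4 from section 1 and takes references as strings so leading zeros survive; `parse_reference`, `from_vendor_list` and `format_reference` are hypothetical names.

```python
from typing import NamedTuple

# Leading digit of the public reference -> data type (section 1 of this booklet).
DATA_TYPES = {"0": "coil", "1": "input", "3": "input register", "4": "holding register"}
MAX_OFFSET = 0xFFFF  # the point field inside the message is one 16 bit word


class Point(NamedTuple):
    data_type: str
    number: int  # public point number, counted from 1
    offset: int  # value carried inside the message, counted from 0


def parse_reference(ref: str) -> Point:
    """Split a 5 or 6 digit reference into data type, public number and offset."""
    ref = ref.strip()
    if not (ref.isascii() and ref.isdigit()) or len(ref) not in (5, 6):
        raise ValueError(f"{ref!r}: expected 5 or 6 decimal digits")
    data_type = DATA_TYPES.get(ref[0])
    if data_type is None:
        raise ValueError(f"{ref!r}: leading digit is not 0, 1, 3 or 4")
    number = int(ref[1:])
    if number < 1:
        raise ValueError(f"{ref!r}: public point numbers start at 1")
    if number - 1 > MAX_OFFSET:
        raise ValueError(f"{ref!r}: offset {number - 1} does not fit in 16 bits")
    return Point(data_type, number, number - 1)


def from_vendor_list(data_type: str, number: int, numbered_from: int = 1) -> Point:
    """Handle a vendor list that gives bare numbers with no 0/1/3/4 prefix.

    Both the data type and the base (1 or 0) are assumptions to confirm
    against the device; nothing in the bare number reveals them.
    """
    if data_type not in DATA_TYPES.values():
        raise ValueError(f"unknown data type {data_type!r}")
    if numbered_from not in (0, 1):
        raise ValueError("lists are numbered from 0 or from 1")
    offset = number - numbered_from
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError(f"point {number} is outside the 16 bit offset range")
    return Point(data_type, offset + 1, offset)


def format_reference(point: Point, digits: int = 5) -> str:
    """Render a point in 5 or 6 digit notation; 5 digits stop at point 9999."""
    if digits not in (5, 6):
        raise ValueError("digits must be 5 or 6")
    width = digits - 1
    if point.number > 10 ** width - 1:
        raise ValueError(f"point {point.number} needs 6 digit addressing")
    prefix = next(d for d, name in DATA_TYPES.items() if name == point.data_type)
    return f"{prefix}{point.number:0{width}d}"
```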

4. WHAT ABOUT SCALING IN MODBUS

Modbus does not provide a method for transporting large or Floating Point numbers or a mechanism for scaling analog values. A 16 bit word can only contain values in the range Only whole numbers are permitted.

To work around this many server device manufacturers use multipliers and document them in their manuals. For example, to report a temperature of 58.5 the device reports a value of 585, and makes a note in the manual that the master should scale by 10. This scaling is achieved by adopting a convention between the client and the server.

What about large numbers > Modbus does not provide a mechanism but 3 important schemes are widely used.

Long Integers: Two consecutive 16 bit words are interpreted as a 32 bit long integer.

MK10 values: Two consecutive words are used. The 1st reports the number of units and the 2nd reports the number of 10,000s.

Floating Point Numbers: Two consecutive words are used and a scheme. (See section X)

These schemes are conventions and not all servers or clients support them. The protocol does not identify these big numbers. Only the vendor docs do. What we mean by this is that if you look at the byte stream in a Modbus message, there is no way of telling whether you are looking at two consecutive 16 bit words, or two consecutive words that should be interpreted as floating point, long or MK10 formats. Because of this you always have to look to the vendor docs.

Read more in Appendix

5. FLOATING POINT NUMBERS IN MODBUS

Modbus was not designed to transport floating point numbers. After the protocol was released and in use, some people came up with a scheme of using two consecutive 16 bit registers to transport one floating point number. The scheme is essentially a set of rules for interpreting the bits in the 2 registers as the elements of a floating point number (like a mini protocol). Other people came up with other schemes. One of these schemes has come to dominate. It is called standard IEEE754.

Some devices (servers) do not support floating point numbers. Many clients (masters) do not support floating point numbers. A master and a server must use the same floating point scheme to work together.

Read more in Appendix 4.

6. BYTE/WORD ORDER: AN AMBIGUOUS NIGHTMARE

It takes two bytes to make a 16 bit word. These bytes can be arranged in two ways. When a floating point, long integer or MK10 value is transported there are 4 bytes in two words. The order in which the words are sent, as well as the order in which the bytes are packed into each word, can change from device to device.

How did this stupid situation come to be? Some microprocessors arrange the bytes in a word in one order and other microprocessors do it in the opposite order. Some programmers account for this and take steps for the device to serve its bytes in the standard order, but some manufacturers had bad programmers who did not care and their device put out data in the wrong order.

Most often you will learn of this issue the hard way. The most common symptom: the values you see in the client are not what you expect.

The jargon word for the order in which bytes are packed into a word is Endianness.

Here is an example of how this works. Each block represents one byte. The two bytes make a word. The value in each block is in decimal.

[ 1 ][ 2 ]

This can be interpreted as

1 x 256 + 2 = 258 (High Order or Most Significant Byte 1st)
1 + 2 x 256 = 513

This is ambiguous. Here is how you resolve this:

* Apply common sense - which value is correct?
* Read the manual and look for the word Endianness or Byte Order. Some examples are provided below.
* Make an assumption. The protocol spec requires the high order byte to be transmitted 1st, so assume it is.
* If your client / master allows, use a function to swap the byte order.

These two FieldServer functions combine two 16 bit words using the IEEE754 rule and make a floating point number. There are two functions because they use the words in different orders.

2.i16-1.float-sw
2.i16-1.float

Extract from a Manual. Shows High order or Most Significant Byte is transmitted 1st. This is how the spec requires a vendor to serve data.
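The scaling, long integer, MK10 and IEEE754 conventions from sections 4 to 6, with all four word/byte orders, as an added example that is not part of the original booklet and is not FieldServer code. The function names are hypothetical and the register values in the comments are constructed; `plausible_orders` is the "apply common sense" step expressed as a range check.

```python
import math
import struct

# The four ways a device may lay out one 32 bit value across two registers.
ORDERS = {
    "as specified (high word, high byte first)": (False, False),
    "words swapped": (True, False),
    "bytes swapped": (False, True),
    "words and bytes swapped": (True, True),
}


def word_from_bytes(first: int, second: int, high_byte_first: bool = True) -> int:
    """Combine two bytes into one 16 bit word, as in the 1, 2 example above."""
    return first * 256 + second if high_byte_first else first + second * 256


def four_bytes(reg1: int, reg2: int, swap_words: bool = False,
               swap_bytes: bool = False) -> bytes:
    """Undo a device's word/byte swapping; return the 4 bytes high order first."""
    for reg in (reg1, reg2):
        if not 0 <= reg <= 0xFFFF:
            raise ValueError(f"{reg} is not a 16 bit register value")
    words = [reg2, reg1] if swap_words else [reg1, reg2]
    if swap_bytes:
        words = [((w & 0xFF) << 8) | (w >> 8) for w in words]
    return struct.pack(">HH", *words)


def as_float(reg1: int, reg2: int, **order) -> float:
    """Two registers read as one IEEE754 single precision number."""
    return struct.unpack(">f", four_bytes(reg1, reg2, **order))[0]


def as_long(reg1: int, reg2: int, signed: bool = False, **order) -> int:
    """Two registers read as one 32 bit long integer."""
    fmt = ">i" if signed else ">I"
    return struct.unpack(fmt, four_bytes(reg1, reg2, **order))[0]


def as_mk10(reg1: int, reg2: int) -> int:
    """MK10: the 1st word is the units, the 2nd the number of 10,000s."""
    return reg2 * 10000 + reg1


def scaled(reg: int, divisor: float) -> float:
    """Vendor-documented multiplier, e.g. 585 with a divisor of 10 is 58.5."""
    return reg / divisor


def plausible_orders(reg1: int, reg2: int, low: float, high: float) -> dict:
    """Decode as IEEE754 under all four orders; keep values inside [low, high]."""
    hits = {}
    for name, (swap_words, swap_bytes) in ORDERS.items():
        value = as_float(reg1, reg2, swap_words=swap_words, swap_bytes=swap_bytes)
        if math.isfinite(value) and low <= value <= high:
            hits[name] = value
    return hits


# Constructed sample: a device that serves 58.5 low word first sends
# registers 0x0000, 0x426A. Only one order gives a sensible temperature:
# plausible_orders(0x0000, 0x426A, 1.0, 150.0) -> {"words swapped": 58.5}
```

A range check only narrows the candidates; when two orders both land inside the expected range, the vendor manual still has to settle it.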

7. BIT ORDER: SOMETIMES IT'S A PROBLEM TOO

In older Modicon PLCs bits were numbered All modern systems use

Notes in a Vendor manual indicate byte order. In this case, high order byte first; thus this vendor meets the Modbus Spec.

8. MODBUS AND GATEWAYS

A gateway is a device that makes data read using one protocol available using another protocol. For example, you could read Modbus data from a power meter and serve that data using BACnet to a Building Automation System.

What data must the gateway report if the Modbus is offline or the data cannot be read? It can report the last value read. How old is that value? In this example, we can exploit a property of each BACnet data object called Reliability. When the validity of the data is unknown, like when a field device is offline, we mark the BACnet objects as unreliable. Now a consumer of that data has enough information: he knows the value and whether it is reliable. It is his call whether to use the data or not.

Modbus does not have an equivalent mechanism. Consider a gateway doing the opposite, for example, reading BACnet data and serving that data using Modbus. If the BACnet link is broken the data validity is questionable. However, in Modbus there is no way of reporting this. The gateway can take one of two actions: serve the invalid data, or not serve the data by not responding to the poll. This is the strategy FieldServer gateways use. If the data is invalid, the gateway does not respond to a request for that data and allows the client to time out.

9. WHAT ABOUT ERRORS / EXCEPTIONS

Modbus has a limited way of reporting errors. A server / slave device can respond to a message in a way that reports an error. These are called exception messages. If you are looking at a message byte stream, exceptions are easy to identify.

QUERY

Byte   Contents              Example
1      Slave Address         0A
2      Function              01
3      Starting Address Hi   04
4      Starting Address Lo   A1
5      No. of Coils Hi       00
6      No. of Coils Lo

EXCEPTION RESPONSE

Byte   Contents              Example
1      Slave Address         0A
2      Function              81
3      Exception Code        02

Message is sent with function=01. Response has the most significant bit of the function byte set == EXCEPTION. Exception number = next byte = 2.

Code   Name / Meaning

1   ILLEGAL FUNCTION: The function code received in the query is not an allowable action for the slave. If a Poll Program Complete command was issued, this code indicates that no program function preceded it.

2   ILLEGAL DATA ADDRESS: The data address received in the query is not an allowable address for the slave.

3   ILLEGAL DATA VALUE: A value contained in the query data field is not an allowable value for the slave.

4   SLAVE DEVICE FAILURE: An unrecoverable error occurred while the slave was attempting to perform the requested action.

5   ACKNOWLEDGE: The slave has accepted the request and is processing it, but a long duration of time will be required to do so. This response is returned to prevent a timeout error from occurring in the master. The master can next issue a Poll Program Complete message to determine if processing is completed.

6   SLAVE DEVICE BUSY: The slave is engaged in processing a long duration program command. The master should retransmit the message later when the slave is free.
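The exception check described in section 9, applied to captured query/response pairs, as an added example that is not part of the original booklet. It assumes frames laid out as in the tables above (slave address, function, data, with no trailing check bytes); `classify` and `summarise` are hypothetical names and the sample exchanges are constructed. A missing response is counted as a timeout, which is how the gateway strategy in section 8 shows up on the wire.

```python
from collections import Counter
from typing import NamedTuple, Optional

# Exception codes and names from the table above.
EXCEPTION_NAMES = {
    1: "ILLEGAL FUNCTION",
    2: "ILLEGAL DATA ADDRESS",
    3: "ILLEGAL DATA VALUE",
    4: "SLAVE DEVICE FAILURE",
    5: "ACKNOWLEDGE",
    6: "SLAVE DEVICE BUSY",
}


class Reply(NamedTuple):
    kind: str  # "normal", "exception", "timeout" or "malformed"
    slave: int
    function: int
    code: Optional[int] = None
    name: Optional[str] = None


def classify(query: bytes, response: Optional[bytes]) -> Reply:
    """Compare a response with the query that caused it."""
    if len(query) < 2:
        raise ValueError("a query needs at least a slave address and a function")
    slave, function = query[0], query[1]
    if not response:
        return Reply("timeout", slave, function)
    if len(response) < 2 or response[0] != slave:
        return Reply("malformed", slave, function)
    reply_function = response[1]
    if reply_function & 0x80:  # most significant bit set == EXCEPTION
        if reply_function & 0x7F != function or len(response) < 3:
            return Reply("malformed", slave, function)
        code = response[2]  # the exception number is the next byte
        return Reply("exception", slave, function, code,
                     EXCEPTION_NAMES.get(code, "UNKNOWN"))
    if reply_function != function:
        return Reply("malformed", slave, function)
    return Reply("normal", slave, function)


def summarise(exchanges) -> Counter:
    """Count outcomes per slave so repeated exceptions or timeouts stand out."""
    counts = Counter()
    for query, response in exchanges:
        reply = classify(query, response)
        label = reply.name if reply.kind == "exception" else reply.kind
        counts[(reply.slave, label)] += 1
    return counts


# Constructed exchanges; the first reuses the bytes from the tables above,
# with the last query byte (No. of Coils Lo) chosen for the example.
SAMPLE = [
    (bytes.fromhex("0A0104A10001"), bytes.fromhex("0A8102")),
    (bytes.fromhex("0A0100000008"), bytes.fromhex("0A010155")),
    (bytes.fromhex("0B0300000002"), None),
    (bytes.fromhex("0A0104A10001"), bytes.fromhex("0A8102")),
]
```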

10. THERE CAN ONLY BE ONE MASTER ON A MODBUS SERIAL TRUNK

Modbus is a poll-response type of protocol. A master issues a message. If the address in the message matches the address of a server device it will respond (if it can). All other devices remain quiet all the time until they are sent a message with a matching address. The master must wait long enough to process the response before sending the next message. If it doesn't, then its next poll and the response from the previous one may overlap.

When Modbus over Ethernet is used, more than one master can poll a server device for data. The number of queries that a server can process simultaneously is dependent on several factors: does the vendor support multiple simultaneous socket connections, and how many do they allow? Vendors hardly ever publish this information.

11. MULTIPLE CLIENTS OF A MODBUS SLAVE

We are frequently asked how you deal with a situation where you have more than one client for a slave(s). The Modbus spec does not support this but we have a solution. The essence of the solution is to use a multi-port FieldServer. Connect each client to its own port and the slave(s) to their own ports. Each client will see a single virtual slave(s) on its network. This not only solves the problem but is extremely efficient. Of course the FieldServer needs to be correctly configured. In a situation like this we exploit the FieldServer technology known as Port Expansion.

Figure 1: Normally it is not possible to connect two clients to the same slave. There are two primary reasons:
1) If you are using RS232 then there can only be two devices on the cable segment.
2) If you are using RS485 then the 2nd client will not know to process the poll from the 1st client. It will cause errors.

Figure 2: Using a FieldServer with an appropriate configuration solves this problem whether you are using RS232 or RS485.

Figure 3: Each client is on its own port. Thus each client does not see poll messages from the other client. In this example client#1 sends a poll to the FieldServer. Then it is directed to a specific slave address. When the poll arrives at the FieldServer, the FieldServer checks the address against its configuration. If there is no match then an exception response is sent. If there is a match the FieldServer determines the port that the matching slave is configured on. The poll message is then relayed to the slave port.

Figure 4: The slave responds. The FieldServer relays the response to client#1. The FieldServer also extracts the data from the response and stores it in a temporary location (FieldServer calls that a cache block). The duration/expiry of the storage is configurable.

Figure 5: If any client requests the same data (client#1 or #2) and the data has not expired then the FieldServer responds with data from the temporary storage.

Figure 6: If any client requests different data or if the temporary data has expired then the match and relay process is repeated requesting the new data.

Figure 7: The slave responds, the response is relayed to the client doing the polling (Client#2 in this case) and the data is stored temporarily so that it is available to the other client.

12. OLD DEVICE: SLOW PROCESSORS, LIMITED CAPABILITY

Many older devices have old microprocessors that can't do too much work at once. Often this microprocessor is used to run the device and handle the Modbus communication. It is not uncommon to see devices with the following limitations.

* You can only read one data point per message, i.e. length must be 1.
* You must have a delay between sending messages.

13. MODBUS ASCII, JBUS, ENRON AND OTHER VARIANTS

There are several variants of Modbus. They are not interoperable, i.e. a Modbus RTU master cannot read a Modbus ASCII field device.

ASCII: An attempt to make the Modbus message human readable by encoding the hex value of each byte in ASCII. Stupid. Doubles the message length.

Jbus: Highway robbery. A Modbus RTU variation that allows more than 9999 of each data type to be read. These days most vendors include this in their RTU drivers so you don't have to pay extra.

Enron: Came up with a way of carrying other data in the Modbus messages. They used multiple words to form data objects. Essentially a set of conventions. Both the client and server must support them.


MODBUS RS232, RS485 AND TCP/IP

14. HOW MODBUS IS TRANSPORTED

There are 3 main physical layers for Modbus.

RS232: One master and one slave. Typically a cable with 3 conductors with a max length of approx a couple of hundred feet. Usually easy. Sometimes some jumpers are required at one end to defeat handshaking.

RS485: One master and up to 128 slaves, but take care to read more if you plan on more than 32. There are two wiring systems, so called 2-wire and so called 4-wire. They can be incompatible but usually 4-wire devices can be made to work on 2-wire systems. Each device must have a unique address and all devices must be set to the same baud rate, data bits, stop bits and parity. Usually easy to implement.

The RS485 physical layer allows up to 128 devices to be installed on a single network with a max physical length of 4000ft and speeds up to 115k baud. Using repeaters allows the length to be increased. Compare to Ethernet where the spec allows a max of 100 meters (330ft) on a single unrepeated segment.

TCP/IP: All devices are essentially peers. A single device can be a master and a server. Routers can be used to connect sub-nets together. Broadcasts are almost never used so are not an issue.

15. MODBUS ON RS232

RS232 requires a minimum of 3 conductors to connect the two devices: Rx, Tx and Ground.

Some devices implement hardware handshaking. This means that before they send a message some voltage must be applied to one of the other pins on the port. If hardware handshaking is active on the device, then you will never get a response until you bypass it or implement it. We recommend bypassing it because there are often differences in the ways that vendors implemented it.

Here are typical jumper schemes that can be applied to defeat handshaking. Connect these pins together on the 9 Pin D-Type connector connected to the server device.

Pin   Function
1     DCD
4     DTR
6     DSR

And

Pin   Function
7     RTS
8     CTS
9     RI (often omitted)

16. MODBUS ON RS485

Search the Internet on RS485 and you will find Bob Perrins's article called THE ART AND SCIENCE OF RS-485. It is his reference to Art that makes RS485 bad. What he means is that RS485 is often non-trivial and getting a network working can rely more on experience and experimentation.

Here is our simplified advice:

Tip #1 3 Wires not 2

RS485 is a 3 conductor network. You take a huge risk by not installing the 3rd conductor. You risk blowing 485 ports, you risk unstable operation (works sometimes and doesn't work other times) and finally you risk re-installation. For a more detailed discussion read this article two-wire-rs485.

The more power sources used to power devices, the greater the physical separation of devices, and the less well-grounded devices and power sources are, the greater the risk.

Remember this statement: The so called Ground Terminal on a RS485 interface is not a connection to ground. It is a common reference signal. The voltage levels on the Tx/Rx conductors are measured relative to this voltage level.

You can (if you must) use a shield drain wire as the 3rd conductor (ground reference conductor).

Tip #2 Connection Order

Always connect the ground reference conductor first if you are connecting a device that is powered up or you are connecting your laptop to an operating network.

OR

Always choose devices that have optical isolation - this almost always will protect the RS485 transmitter / receivers.

Tip #3 Shield

You can get away without the shield. The twisted pair used for Tx and Rx is more effective at noise cancellation than the shield.

Tip #4 Cable Location

Take care where you run your cables. It seems obvious not to wind your cable around other cables or sources of electricity / magnetism. People are often surprised to find that the worst sources of induced noise are switching DC loads. Another big culprit is Variable Frequency drives.

Tip #5 Cable Type

Cable selection does make a difference. All cables offer impedance (resistance). Some cables are designed so that the impedance is relatively independent of distance. You want one of these cables. A clue to knowing if you selected one is to look at the cable's Nominal Impedance. If they quote a number such as 100 Ohms you have a good cable. If they quote an impedance per meter/foot you have chosen the wrong kind.

Tip #6 Number of Devices per Trunk

How do you put more than 32 devices on a single RS485 trunk? The simple answer is to use a repeater, but in practice one isn't always necessary. The RS485 standard is based on 32 devices. Since the standard was developed most RS485 chips present less than the full unit load originally specified. Today you get half and quarter load devices. Thus to see how many devices you can install you simply get the data sheets and add the loads. Look for UL on the data sheet. It stands for Unit Load.

Tip #7 Cable Length

Cable Lengths and Baud Rates: Practically speaking you can go up to 4000 feet at baud rates up to baud. Above that you need to do a little math and reduce the length. For example, at 115k baud your cable should not be much longer than 2500 feet. However, the higher the baud rate, the more sensitive the cable is to the quality of installation; issues like how much twisted pair is unwound at each termination start to become very, very important.

Our advice: For longer networks with lots of devices, choose 38k400 baud over 76k800 baud and optimize using COV, separate networks and by setting the Max Master to a lower number.

Source: Ten Ways to Bulletproof RS-485 Interfaces, National Semiconductor Application Note 1057, John Goldie, October 1996

Tip #8 Bandwidth Issues

How many devices to install on a single RS485 Trunk (Bandwidth Issues). There are non-electrical considerations that determine how many devices you put on a Modbus trunk network. It's not possible to provide a calculator to work out how many devices to install on a single network, but the following list provides some help in assessing bandwidth considerations. Consider the following factors.

* A single Modbus message can only read consecutive data points. If you need to read and you must either: read length=3 read length=1 and read length =3 (2 messages and 2 responses)

* A single Modbus message cannot read more than bit words. The more dispersed the Modbus points you are reading, the more messages and responses you will need. For example, if you need to read and then you will need at least two messages because all the data cannot be read in one message. Some devices have more severe limits. For example, Crestron can only read 8 registers at a time.

* A single Modbus message can only read data of one type. If you need to read a coil and a holding register you will need at least one message for each.

* There may be some latency in the server devices: the time it takes to respond to messages. Some devices take up to 1 second between receiving a message and responding.

* Some devices can only be polled once per x seconds.

* What is the baud rate? Divide the baud rate by 10 to get approx characters per second. Divide the result by 2 to get approx number of words per second.
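The factors above turned into a rough poll planner and timing estimate for 16 bit registers, as an added example that is not part of the original booklet. The function names are hypothetical, the point list is constructed, and the defaults are assumptions: a 10 byte poll and a 125 register limit per read (set `max_len` lower for devices with tighter limits, such as 8).

```python
def plan_reads(points, max_len=125, max_gap=0):
    """Group (data_type, point_number) pairs into (data_type, start, length) reads.

    One read covers one data type and one run of consecutive points.
    max_gap lets a read span that many unwanted points to save a message.
    """
    if max_len < 1 or max_gap < 0:
        raise ValueError("max_len must be >= 1 and max_gap >= 0")
    by_type = {}
    for data_type, number in points:
        by_type.setdefault(data_type, set()).add(number)
    plan = []
    for data_type in sorted(by_type):
        start = prev = None
        for number in sorted(by_type[data_type]):
            fits = (start is not None
                    and number - prev - 1 <= max_gap
                    and number - start + 1 <= max_len)
            if fits:
                prev = number
                continue
            if start is not None:
                plan.append((data_type, start, prev - start + 1))
            start = prev = number
        plan.append((data_type, start, prev - start + 1))
    return plan


def message_seconds(words, baud, server_latency=0.0, client_latency=0.0,
                    poll_bytes=10):
    """Time for one poll and its response using the rules of thumb above."""
    if baud <= 0:
        raise ValueError("baud must be positive")
    chars_per_sec = baud / 10           # baud / 10 = approx characters per second
    words_per_sec = chars_per_sec / 2   # half of that = approx words per second
    return (poll_bytes / chars_per_sec + server_latency
            + words / words_per_sec + client_latency)


def scan_seconds(plan, baud, **latencies):
    """Total time to run every read in the plan once, back to back."""
    return sum(message_seconds(length, baud, **latencies) for _, _, length in plan)


# Constructed point list: dispersed holding registers plus one input register.
POINTS = [("holding register", n) for n in (1, 2, 3, 5, 200)]
POINTS.append(("input register", 7))
# plan_reads(POINTS) needs 4 messages; plan_reads(POINTS, max_gap=1) needs 3,
# at the cost of also reading the unwanted holding register 4.
```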

Thus at baud it takes approx to read 125 registers.

* Poll = 10 bytes at 1920 per sec
* Server latency
* Response = 125 words at 960 per sec
* Client latency (delay in storing response and sending next)

Approx 0.15 secs to .35 secs with typical latencies.

Tip #9 What Can Go Wrong

What can go wrong with 485? Let's say you adopted all the best practices for installation of the network but you get intermittent or unacceptable performance because of packet loss, noise, collisions. Then you should consider hiring an expert to resolve your problems, because now you are in the Art part of RS485. These are some of the things they will look at.

Reflections

Without a scope and expertise you won't know this is a factor. It is easy and cheap to eliminate. Look at the cable spec. Find the nominal impedance. Buy two resistors of the same value. At each end of the trunk install the resistors between the Tx and Rx terminals. If you don't have obvious ends of the trunk (because you created a star) then we recommend re-cabling to form a linear trunk, or we wish you luck. Some devices have terminating resistors built into them. If the vendor did a poor job, the default is to have the resistor active, and they must be disabled unless they are the terminating devices on the network. Read the vendor doc.

Biasing, Idle State Biasing, Fail Safe Biasing, Anti Aliasing

There is a whole string of terms used as synonyms to describe this phenomenon.

To use two wires (as opposed to full duplex 4 wire) for RS485, each device's transmitter and receiver must be set to an idle state to release the line for others' use. Releasing the line means allowing it to float. It must not be allowed to float at any voltage level, so devices have pull up/down resistors to pull the line to an allowable floating voltage (the floating state is also known as the tri-state). The load presented by other devices on the network affects this floating, so the resistor values may need to be changed depending on the number of devices installed and the values of the pull up/down resistors they are using. (You can imagine how tricky it is going to be to resolve this.) If a device floats out of the specified range then to other devices it will look like the floating device isn't floating at all. The other devices will think that it is transmitting or receiving and thus blocking the line.

The simplest way of knowing if this is a factor: does the device work properly when it is the only device on the network, but when you install it in the full network other devices or this device stop working properly? If so, this device and/or the pull up/down resistors of other devices are candidates for investigation.

A number of vendors have a range of pull up/down resistors installed and allow you to change the selection using software or jumpers.

Line Drive On / Off

To use two wires for RS485, each device's transmitter and receiver must be set to an idle state to release the line for others' use. When a device wants to send, it must grab the line. When it has finished sending, it must release the line. You can see there are potential problems here. What happens if one device waits too long after sending its last bit before releasing the line? It's possible that the other devices will miss some bits of data.

Tip #10 Topology

Take care with the topology. The best topology is a single trunk that in-outs on the terminal blocks of each device it connects. What do we mean by best? We mean the choice which is least likely to cause problems.

Best arrangement. (Showing TX conductor for reference only)

Getting worse. Making the connections to the RS485 terminals drops, instead of connections, starts to give the electrical signals all kinds of complicated paths for reflections and harmonics. It is obvious that if the drops are long and are not twisted then you also have more chance to induce noise. (Showing TX conductor for reference only)

Worst. Avoid Star configurations. They are so much harder to debug when it gets tricky. (Showing TX conductor for reference only)


MODBUS RESOURCES, TESTING AND TROUBLE SHOOTING

17. WHAT TO TAKE TO SITE WITH YOU

Here is a list of tools and resources you should carry with you to site for Modbus commissioning.

1. USB->485 converter. CAS uses: USB-COMI-SI-M
2. USB->232 Converter. Any will do.
3. Laptop
4. Wireshark packet sniffer software - free download

5. CAS Modbus Scanner - free download. CAS Modbus Scanner is a utility to retrieve coils, inputs, holding registers, and input registers from a Modbus enabled device. Values retrieved from the device can be viewed in many different formats including Binary, HEX, Uint16, Int16, Uint32, Int32, and Float
6. CAS Modbus Parser - free download. Have you ever needed to analyze a Modbus RTU message? The CAS Modbus RTU parser can analyze a Modbus RTU message and tell you if there are any errors in the message, what type of message it is, what data is being written or read from your device, what device the message came from, and more.
7. Serial Break out box

11. Terminating Resistors. Take 52.3, 75, 100, 120 and 150 Ohm resistors with you. Watt is usually more than enough.

12. Gender Benders
13. Ethernet Patch cables
14. Hub. A hub is not a switch. A hub can be used for trouble shooting whereas only a supervised switch can. Most switches are not supervised. For more information read Appendix 5.

Appendix

18. TROUBLE SHOOTING MODBUS TCP/IP

REQUIRED TOOLS

* Hub or Supervised Switch
* Wireshark - Free Download

Tip #1: You might not capture the traffic if you don't use a hub. Read the article on hubs and switches to understand why.

Tip #2: You can select the packets you capture to reduce log file size by defining a capture filter before you start the capture. We suggest you avoid this. If you are short of space you can select which packets you save.

Tip #3: You can select which packets you view from the total log by defining a display filter.

Tip #4: You can select which packets to save in the log files.

Tip #5: You can search for particular packets.

HOW TO CAPTURE WITH WIRESHARK

1. Capture - Main Menu

2. Interfaces - On Capture Menu
   a) You get a list of network adapters. Pick the one connected to the network of interest. It's probably not the wireless adapter. Most often it's the adapter with the packet count increasing.
   b) Select the Start button, or
   c) Select the options button to define a capture filter. Define the filter and click start.

3. A list of packets accumulates on the screen.

4. Apply a Display Filter. More on display filters later. For now simply type mbtcp into the filter field and click apply.

5. Find the packet you are interested in. Click on it to select it. A breakout of the selected packet's data is shown below the packet list.

6. You can break out the level of detail by expanding the sections of the packet.

Think of a Modbus packet as a letter you send to a Modbus device. When you take it to the Modbus post office, the clerk says he does not understand the address. He passes it to the TCP/IP clerk. The TCP/IP clerk takes your letter and puts it in a bigger envelope. He addresses the envelope with a TCP/IP address. He passes it to the Ethernet post office clerk. The Ethernet clerk takes your letter and puts it in a bigger envelope. He addresses the envelope with a hardware address and sends it to that computer. When it arrives the process is reversed until finally the contents are passed to the Modbus application.

Ethernet packets contain packets from other higher level protocols nested inside each other. You drill down to see the detail you want. In the example below you can see the Modbus packet nested inside an IP protocol packet which is in turn nested inside an Ethernet packet.

7. Drill down to see the Modbus info.

Before you start a capture you can specify a capture filter. The effect of the filter is that not all packets are captured. Doing this can save space when you save the log and it might make it easier to find the packets you are interested in. However, there is some risk that you might filter out the packets of interest. For example, a Modbus device might not operate correctly because it is being hammered with packets from another protocol being sent incorrectly to the Modbus device.

Our advice is to capture as much as possible and then filter what is displayed.

CAPTURE FILTERS

Here are some sample filters.

Examples:

Capture only traffic to or from IP address :
    host

Capture only traffic to or from IP address but exclude all FieldServer RUINET messages:
    host and port not 1024

Capture traffic to or from a range of IP addresses:
    net /24
or
    net mask

Capture traffic from a range of IP addresses:
    src net /24
or
    src net mask

Capture traffic to a range of IP addresses:
    dst net /24
or
    dst net mask

Capture only Modbus traffic (assumes every device is compliant and is using the standard port):
    port 502

Useful Hint: It is easy to sort packets by source or destination IP. Click the column headings.

Useful Hint: You can mark packets you find interesting. Then later you can save, display or print the marked packets.

DISPLAY FILTERING

Useful Hint: Any capture filter can be used as a display filter.

You can use the expression builder to build selection criteria for filters.

SEARCHING

Looking for messages to/from particular devices:
    ip.addr ==

Sent to / sent from:
    ip.dst_host == " "
    ip.src_host == " "

Looking for messages to/from particular Modbus devices:
    modbus_tcp.unit_id == 11
(look for all messages which were sent to Modbus Device #11)

You can use the expression builder to build filter expressions.

Expression Builder

From the drop down list of protocols there is one specifically related to Modbus. They are shown below.

Add devices. The device number is the Modbus Device Number.

Add requests: polls for data. You can add multiple requests for each device.

You can add multiple connections, more than one of each type. Each connection can have one or more devices. Each device can have one or more requests.

Once connections, devices and requests have been defined you can scan for data, exit or edit the settings.

To scan for data: Double click a request. It will be executed once. You can have the request auto repeat by checking the Auto Update box.

You will not get a response every time you poll. You may be polling the wrong device, with the wrong IP address or the wrong baud rate. You could be polling for points that don't exist. There are many reasons. If you don't get a response, this is called a timeout.

Data is displayed here in various formats. When displayed as floats or 32 bit integers, the utility uses two consecutive registers to calculate the result. The value may not be what you expect because of byte/word order issues.

20. CONVERTING MODBUS 16 BIT NUMBERS TO 32 BIT NUMBERS

Often the vendor documentation does not report the byte order in which registers are served or the order in which words must be combined to form 32 bit numbers. For this reason FieldServer provides 4 functions to convert Modbus 16 bit numbers to 32 bit numbers:

2.i16-1.i32
2.i16-1.i32-s
2.i16-1.i32-sw
2.i16-1.i32-sb

Each of these functions takes two 16 bit numbers to form a 32 bit number. Each processes the bytes in a different order.

Practical Tip: The easiest way to determine which function to use is to experiment. Look at the values in the FieldServer Data Arrays. If the values are obviously wrong, try the other move functions. (Don't forget that some numbers may be scaled, so the number you see in the Data Array may be 10x or 100x too big / small.)
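The experiment recommended in the Practical Tip, as an added example that is not part of the original booklet and is not FieldServer code: it combines two consecutive registers in all four byte/word orders and reports which orders give a value inside the range you expect from the device. The labels ABCD, CDAB, BADC and DCBA and the sample register values are assumptions of this example; the booklet does not say which FieldServer function performs which order, so no mapping is claimed.

```python
import math
import struct

def combine(reg_first, reg_second):
    """Return every candidate 32-bit reading of two consecutive 16-bit registers."""
    a, b = struct.pack(">H", reg_first)    # high and low byte of the first register
    c, d = struct.pack(">H", reg_second)   # high and low byte of the second register
    orders = {
        "ABCD": bytes([a, b, c, d]),       # registers and bytes as served
        "CDAB": bytes([c, d, a, b]),       # words swapped
        "BADC": bytes([b, a, d, c]),       # bytes swapped inside each word
        "DCBA": bytes([d, c, b, a]),       # words and bytes swapped
    }
    return {name: {"uint32": struct.unpack(">I", raw)[0],
                   "int32": struct.unpack(">i", raw)[0],
                   "float32": struct.unpack(">f", raw)[0]}
            for name, raw in orders.items()}

def plausible_float_orders(reg_first, reg_second, low, high):
    """Names of the orders whose float reading is a real number within [low, high]."""
    return [name for name, views in combine(reg_first, reg_second).items()
            if math.isfinite(views["float32"]) and low <= views["float32"] <= high]

if __name__ == "__main__":
    # Constructed sample: a device holding 100.0 that serves the low word first.
    for name, views in combine(0x0000, 0x42C8).items():
        print(name, views)
    print(plausible_float_orders(0x0000, 0x42C8, 1.0, 1000.0))
```

Checking several registers with known values narrows the choice further, since a single reading can look plausible in more than one order.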
